The Novell® BorderManager® Virtual Private Network (VPN) client software allows a workstation to communicate securely over the Internet to a network protected by a Novell VPN server.
Following is the list of new features for Novell BorderManager 3.9 VPN client for Windows*:
Client changes: Hybrid and pre-shared key in the xauth mode of authentication are supported in the client.
Client GUI changes: Drop-down boxes have replaced the radio buttons used for selecting the authentication mode.
The Novell BorderManager 3.9 VPN Client provides the user with an X.509 certificate to perform the IKE main mode of authentication. The certificate should be copied to the local workstation (<drive>:\novell\vpnc\certificates\users) from which the VPN software is to be executed.
The Novell VPN client is integrated with Novell Modular Authentication Services (NMAS(TM)). NMAS works with the Novell Client. Install the Novell Client to benefit from the NMAS functionality.
Select the NMAS option in the Configuration tab and provide NMAS user information and credentials in the eDirectory tab. In the VPN tab, provide the VPN server IP address and NMAS sequence (for example, NDS/eDirectory, Universal Smart Card, Simple Password).
Select NMAS, then select the LDAP box on the Configuration tab. Go to the VPN tab and specify the VPN server IP address and LDAP user DN (for example, CN=Admin,O=Novell). The LDAP method displays a dialog box for the credential.
Select the Backward Compatibility mode on the Configuration tab. Provide eDirectory credentials in the eDirectory tab. In this mode, the Novell BorderManager 3.9 client can talk to Novell BorderManager 3.8. The ActiveCard token authentication is enabled if NMAS is installed on the client. The ActiveCard token authentication method works if the ActiveCard token method is configured for the user in eDirectory. The VPN tab requires credentials for the ActiveCard token method.
Select Pre-shared Authentication mode on the Configuration tab. Go to the VPN tab and provide the password for the pre-shared key configured on the VPN server.
Provide the VPN server IP address, username, password and the pre-shared key. The username is in full DN format. For example, user3.novlcontext.
The pre-shared key is used for IKE phase1 authentication. The same pre-shared key should also be configured on the server.
NOTE: While connecting to the Novell BorderManager Server, use the policy editor to put the IKE mode in main mode along with PFS=yes.
Provide the VPN server IP address, username, and password. The user must copy the trusted root certificate corresponding to the server.
NOTE: Xauth Hybrid mode is supported in aggressive mode only. This is enabled in the policy editor.
This version of the Novell VPN Client can integrate with the Novell Client for Windows 98, Windows NT, Windows 2000, Windows XP Professional or Windows XP Home. Re-start the machine after installing the new VPN client. During re-start, the VPN client integrates with the Novell Client. After the system comes up, the Novell Login screen has a Location drop-down list. The list contains the default entry as well as an entry for the VPN capabilities. You can select any of the locations, depending on the operation to be performed.
Four new tabs are available that can be configured in a Service Instance by selecting Novell Client32 Properties. The four tabs do the following:
The Novell Client 4.91 and later updates the NMAS Client to version 3.0. If the VPN Client is installed after Novell Client installation and you choose to install the NMAS Client at that time, NMAS does not work with the Novell Client 4.91. To use the Novell Client 4.91, do one of the following:
This version of the VPN client for Windows 98, Windows NT, Windows 2000, and Windows XP uses NICI (128-bit) encryption because there is no export restriction with NICI.
The VPN client requires "kernel NICI" (NICI 1.7.0) for the cryptographic requirements of the kernel module vptunnel.sys and "user NICI" (NICI 2.6.0) for the cryptographic requirements of user-space modules such as ikeapp.exe and vpnlogin.exe. If NICI 1.7.0 (128-bit version) is not installed, the VPN Setup program installs it. This version of NICI overwrites NICI 1.5.7 (56-bit) or NICI 1.5.3 (56/128-bit), but not NICI 2.6.0. If NICI 2.6.0 is installed, NICI 1.7.0 and 2.6.0 will co-exist.
On Windows 98 and Windows Me, you can select a dial-up entry of any server type. Previously (with Novell BorderManager Enterprise Edition 3.0), you could only select dial-up entries of type Novell Virtual Private Network. All entries must be configured to negotiate only for TCP/IP connections. If you want to invoke the VPN client from Dial-Up Networking instead of vpnlogin.exe, then the dial-up entry that you select from Dial-Up Networking must be of server type Novell Virtual Private Network; otherwise, vpnlogin.exe is not spawned after the dial-up connection has been established.
On Windows NT, you can select a dial-up entry of any server type. There is no Novell Virtual Private Network server type in the Dial-Up Networking selection on Windows NT.
If there is a dial-up requirement, install dial-up networking before installing the VPN client.
When you make your dial-up entry selection from VPNLogin.exe, choose entries that do not enable Point-to-Point Protocol (PPP) compression. Compressing data that has been encrypted incurs unnecessary CPU overhead and does not offer any savings in the size of the packets being sent.
Install the modem, then install the VPN Client.
During VPN client installation, if you choose to use Dial-Up Networking, the VPN client installation creates a Novell VPN dial-up entry for you.
During VPN Client login, the eDirectory user is notified if the user's eDirectory password has expired and grace logins are being used. The user is also given an option to change the eDirectory password during VPN Client login. This option is also provided on the VPN Client system tray icon. The user sees the change password option only if he or she is using eDirectory credentials for VPN/NetWare login from the VPN Client application. Change password fails in the case of contextless login, because it requires all eDirectory user credentials.
The policy (traffic rule) specified by the administrator in eDirectory is applied on the client. If a policy is changed for that particular VPN user while a VPN session is active, the changes are not reflected until the next session.
The silent install feature allows the installation to be completed without user input. If the Dial-Up option is selected, some user intervention might be required if the workstation does not have the Dial-Up Networking or RAS components.
To use this feature, run setup.exe with a switch to create a response file that contains the answers to all the questions normally asked during installation. Because this includes selection of the dial-up client, the LAN client, or both, you might need to create multiple response files based on user needs.
After creating the response file, you can then run setup.exe with a different switch to use the response file so that installation requires minimal user intervention. There is also a switch to generate a log file for the silent install. This can be used to verify that the install completed successfully, or to diagnose why the installation failed. Examples on how to use these switches are given in the procedure below.
You might often need to do a silent install on workstations that have different versions of Windows. If Windows or the Novell Client was installed from CD, then the VPN client install asks for those installation CDs. In this situation, the responses to the install prompts will depend on the version of Windows that is installed, so it is best to create a response file that queries the user for these installation CDs if needed.
To create this kind of a response file:
Perform a normal install of the VPN client without creating the response file. This installation might ask for the Windows and/or Novell Client CDs. Proceed normally through the installation.
After rebooting, run setup.exe again, this time creating the response file. This re-install will not query for the Windows or Novell Client install CDs, so the generated response file does not know what to answer when the user installation asks for the Windows or Novell Client CD. Because there is no answer in the response file, the user will be queried for the Windows or Novell Client CDs if they are needed.
To verify that the response file is working properly, run the installation in the silent mode on a workstation that does not have the VPN client installed. The install log file should show ResultCode=0.
The silent install feature only works with the setup.exe under the disk1 directory. It does not work with the self-extracting exe. The silent install feature is enabled by executing setup.exe under the disk1 directory with certain command line options. The available options for setup.exe are:
Depending on which of the two options is being used, the -f1 and -f2 options might also be used to specify filenames.
To use the silent install feature:
Create a response file by issuing the following command from disk1 of the VPN client disks:
setup.exe -r -f1"<RESPONSE_FILE>"
where <RESPONSE_FILE> contains the absolute path and name of the response file. The -f1"<RESPONSE_FILE>" option can be omitted, in which case a response file named setup.iss is created in the Windows or WinNT directory.
For example,
setup.exe -r -f1"c:\temp\setup.iss" executes the installation and saves the input to c:\temp\setup.iss.
When using the -f1 and -f2 switches, do not put a space before the quotation marks. For example, -f1 "filename" (with a space before the quotation mark) will not work; -f1"filename" (with no space) will work.
Execute the installation based on previously captured input by issuing the following command from disk1 of the VPN client disks.
setup.exe -s -f1"<RESPONSE_FILE>" -f2"<LOG_FILE>"
where <RESPONSE_FILE> contains the absolute path and name of response file, and <LOG_FILE> contains the absolute path and name of log file.
For example, setup.exe -s -f1"c:\temp\setup.iss" -f2".\setup.log" executes the installation, taking input from setup.iss in the c:\temp directory, and records the result in the file setup.log in the same directory as setup.exe.
Verify that the silent install was successful by checking the contents of setup.log. You should see a result section with the following:
[ResponseResult]
ResultCode=0
A value of 0 for ResultCode indicates that installation was successful. A nonzero value indicates failure. The possible ResultCode values are:
The most common installation error code seen is -12. An error condition usually displays an error message dialog box requiring user input, such as Click OK to acknowledge the error. Because the response is not in the response file, the silent install process assumes that the response file has the dialog boxes out of order and reports error -12.
A batch file can be used to further automate the silent install process. For example, you could create the following install.bat in the DISK1 subdirectory:

setup.exe -s -f1"c:\vpninst\disk1\response.txt" -f2"c:\temp\vpninst.log"
rem This assumes that the VPN client has been extracted to c:\vpninst.
rem It could be on a network drive, or somewhere else.

Don't put a space between -f1 and the quotation mark. If the VPN Login icon shows up on your desktop, reboot, and the VPN client installation is finished.
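The following install.bat is an added example, not from the Novell readme or the shipped VPN client: it runs the silent install described in the steps above and then checks the InstallShield log for ResultCode=0 instead of leaving the administrator to open the log by hand. The paths c:\vpninst\disk1, response.txt and c:\temp\vpninst.log are assumptions taken over from the example above; adjust them to your deployment share. It uses only goto labels and the find command so that it runs under both command.com (Windows 98) and cmd.exe (Windows NT/2000/XP), and it assumes setup.exe does not return until the installation has finished.

```batch
@echo off
rem Added example (not part of the Novell readme): silent VPN client install
rem followed by a check of the InstallShield log for ResultCode=0.
rem Assumed layout: VPN client disks extracted to c:\vpninst, so setup.exe is
rem in c:\vpninst\disk1, and a response file was recorded earlier with
rem   setup.exe -r -f1"c:\vpninst\disk1\response.txt"

set VPNDISK1=c:\vpninst\disk1
set RESPFILE=c:\vpninst\disk1\response.txt
set LOGFILE=c:\temp\vpninst.log

if not exist %RESPFILE% goto noresponse

rem Remove a stale log so an old ResultCode=0 cannot mask a failed run.
if exist %LOGFILE% del %LOGFILE%

rem No space between -f1/-f2 and the quotation mark, or the switch is ignored.
%VPNDISK1%\setup.exe -s -f1"%RESPFILE%" -f2"%LOGFILE%"

if not exist %LOGFILE% goto nolog

rem find sets errorlevel 0 when the string is present and 1 when it is absent.
find "ResultCode=0" %LOGFILE% > nul
if errorlevel 1 goto failed

echo VPN client silent install succeeded. Reboot the workstation to finish.
goto end

:failed
echo Silent install FAILED. ResultCode recorded in %LOGFILE%:
find "ResultCode=" %LOGFILE%
echo A ResultCode of -12 usually means an unexpected dialog box appeared;
echo re-record the response file with setup.exe -r on a matching workstation.
goto end

:nolog
echo No log file at %LOGFILE%: setup.exe did not run, or -f2 was not applied.
goto end

:noresponse
echo Response file %RESPFILE% not found. Record one first with:
echo   %VPNDISK1%\setup.exe -r -f1"%RESPFILE%"

:end
```

Run it from the DISK1 directory as install.bat; the echoed messages map each failure back to the cause given in the text (a stale or missing response file, a missing log, or the -12 out-of-order dialog error), so an unattended rollout can be checked from the console output or from the log file it names.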
If you have a file named vpnconfig.txt in your VPN client installation directory Disk1, the installation program will take VPN server addresses, authentication mode, NetWare server IP address, NMAS sequences, eDirectory context, whether to enable eDirectory login or not, and so forth from this file. The program will then update them into the workstation's Registry.
A sample vpnconfig.txt file is included on Disk1. You can modify this file according to your corporate requirements.
If your VPN server is your firewall, then the exception filters are already configured to allow this traffic to pass through. Filters need to be updated during VPN configuration.
Refer to the following documents for detailed information on Novell BorderManager 3.9 at the Novell Documentation Web site:
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
For the latest documentation and Readme on Novell BorderManager 3.9 VPN client on Linux, see the Novell Documentation Web site.
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 1997-2007 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher. Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page and one or more additional patents or pending patent applications in the U.S. and in other countries.
For Novell trademarks, see the Novell Trademark and Service Mark list.
All third-party trademarks are the property of their respective owners.